Is the version of OpenSSH or the version of OpenSSL (or a combination of the two) that is installed on a given system what determines which Ciphers, KexAlgorithms, and MACs are available to be configured for use?

Background: We have a legacy process that is using SSH/SFTP to exchange data between an outside organization and ours. The outside organization is going to begin enforcing the use of stronger crytographic algorithms. No surprise, the instance of either OpenSSH or OpenSSL installed on our end is not up to snuff.

Trying to figure out where I would need to look to determine what minimum level I need to make this work in the short term. What version of which package would carry a given algorithm?